mysql_real_escape_string() is considered a good alternative to addslashes() and mysql_escape_string(), one that can solve the wide-byte and injection problems, but the official description of it is not clear:
mysql_real_escape_string - escapes special characters in strings used in SQL statements, and takes into account the current character set of the connection
I really do not understand this sentence. What does taking the current character set of the connection into account mean? Could an expert please explain in detail? Thank you!
Reference:
http://php.net/manual/zh/function.mysql-real-escape-string.php
http://www.cnblogs.com/suihui/archive/2012/09/20/2694751.html
http://www.neatstudio.com/show-963-1.shtml
Supplementary questions: @ Acting and acting
1. The added \ is not passed into MySQL, so if ' or 1=1;-- s is injected, is the injected content here never actually sent to MySQL and executed?
Reference: https://segmentfault.com/q/1010000005994443
2. "and takes into account the current character set of the connection"
What does this mean? Does it change the character set of the current connection?
Reply content:
This is about MySQL GBK double-byte injection.
For example, for a user login, assume your SQL statement is:
$sql = "select * from user where user_name='$username' and password='$password'";
1. If there is an injection point and the input is not escaped, pass the parameter username=' or 1=1;-- s and the SQL statement at this point is:
$sql = "select * from user where user_name='' or 1=1;-- s ' and password='$password'";
Because -- is a comment character, you don't have to go around.
2. If there is an injection point and special-character escaping is used, the SQL statement at this point is:
$sql = "select * from user where user_name='\' or 1=1;-- s ' and password='$password'";
Cannot bypass
3. Now the problem comes: the awesome hacker has discovered that GBK encoding allows wide-byte injection. This time pass username=%df%27 or 1=1;--
The SQL statement executed at this point becomes:
$sql = "select * from user where user_name='運' or 1=1;-- s ' and password='$password'";
Successful bypass
How to solve this problem
mysql_real_escape_string - escapes special characters in strings used in SQL statements, and takes into account the current character set of the connection
The escape mechanism that the mysql_real_escape_string method applies to an SQL statement changes with the character set of the current database connection. The same SQL statement, under different character sets, does not necessarily give the same result after escaping.
Important:
The mysql_real_escape_string method belongs to the mysql extension, which has been marked obsolete since PHP version 5.5.0 and is removed after PHP version 7. Please use the mysqli or PDO extension for database operations. For the database character set, please try to use utf8 or utf8mb4 (better).
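An added example, not part of the original answer: a simplified Python model of why a charset-blind escape lets the %df%27 input close the string literal under GBK, next to a charset-aware escape that keeps it inside the literal. The function names and the lexer model are assumptions made for this illustration, not PHP's or MySQL's own code.

```python
# Added illustration: a simplified byte-level model, not PHP's or MySQL's own code.
QUOTES = b"'\"\\"

def is_gbk_pair(buf: bytes, i: int) -> bool:
    """True if buf[i:i+2] is a 2-byte GBK character (lead 0x81-0xFE, trail 0x40-0xFE, not 0x7F)."""
    return (i + 1 < len(buf) and 0x81 <= buf[i] <= 0xFE
            and 0x40 <= buf[i + 1] <= 0xFE and buf[i + 1] != 0x7F)

def blind_escape(raw: bytes) -> bytes:
    """Charset-blind, addslashes()-style: put a backslash before every ' " \\ byte."""
    out = bytearray()
    for b in raw:
        if b in QUOTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def gbk_aware_escape(raw: bytes) -> bytes:
    """Charset-aware: copy valid GBK pairs untouched, backslash quotes and stray lead bytes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if is_gbk_pair(raw, i):
            out += raw[i:i + 2]
            i += 2
            continue
        if raw[i] in QUOTES or 0x81 <= raw[i] <= 0xFE:
            out.append(0x5C)
        out.append(raw[i])
        i += 1
    return bytes(out)

def sql_after_username(escape, username: bytes) -> bytes:
    """Build the page's login query, lex the user_name literal as a GBK server would,
    and return whatever the server treats as SQL after that literal closes."""
    sql = b"select * from user where user_name='" + escape(username) + b"' and password='x'"
    i = sql.index(b"'") + 1
    while i < len(sql) and sql[i] != 0x27:
        # A GBK pair or a backslash escape consumes two bytes, anything else one.
        i += 2 if is_gbk_pair(sql, i) or sql[i] == 0x5C else 1
    return sql[i + 1:]

PAYLOAD = b"\xdf' or 1=1;-- s"  # the page's %df%27 input after URL decoding

if __name__ == "__main__":
    print("blind :", sql_after_username(blind_escape, PAYLOAD))
    print("aware :", sql_after_username(gbk_aware_escape, PAYLOAD))
```

In PHP the escaping function only knows the connection character set when it is set through the client API (mysqli::set_charset() or the charset in the PDO DSN); a SET NAMES query changes the server side only.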